Setting up SSL certificate locations in Linux

Steven Haddox edited this page Feb 4, 2015 · 4 revisions

Omniauth uses Faraday to process SSL requests, such as the Facebook authenticate callback. By default, Faraday isn't aware of where your SSL certificates are on your server. If this is the case, you may see an error similar to:

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):

To fix this, modify your provider setup to include your certificates path. For example, you could have a setup file called omniauth.rb in config/init (Rails 3.0.x)

Rails.application.config.middleware.use OmniAuth::Builder  do
  provider :facebook, APP_ID, APP_SECRET,
     {:client_options => {:ssl => {:ca_path => "/etc/ssl/certs"}}}  # Modify this with your SSL certificates path

Alternatively, the above code can be placed in application.rb

Your certificates folder may not be /etc/ssl/certs. Linux users can type in the terminal openssl version -a to determine their system ssl certs folder, listed as OPENSSLDIR. You will likely have to append /certs onto this folder name. Note that the reported directory may be a symbolic link on your system to another folder (for Ubuntu 10.10, /usr/lib/ssl/certs points to /etc/ssl/certs, so either will work).

Note that this fix is written specifically for Omniauth 0.2.2. If you have an earlier version, you will have to update in order to specify your SSL certificates path.

Heroku, Fedora, CentOS

Users reported having to point to a specific file on these systems (example for Heroku)

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, 'YOUR_APP_ID', 'YOUR_SECRET_KEY',
           {:scope => 'PERMISSION_1, PERMISSION_2, ETC', :client_options => {:ssl => {:ca_file => '/usr/lib/ssl/certs/ca-certificates.crt'}}}

Ensure that any Facebook permissions you require are in the same hash as :client_options.

On Fedora and CentOS, use /etc/pki/tls/certs/ca-bundle.crt instead, or find your system path with openssl version -a.

Full options available from Faraday

It seems that Faraday's documentation regarding what options exist around it's SSL configuration is fairly sparse. The following options might be useful when you need to customize your SSL setup:

ca_file      (e.g., /usr/lib/ssl/certs/ca-certificates.crt)
ca_path      (e.g., /usr/lib/ssl/certs)

Many developers have indicated that having just the ca_path setting is often not enough. Make sure you've tried to add full paths for ca_file, client_cert, and client_key as a starting point if ca_path is insufficient.

##Solutions to avoid

Some online posts suggest disabling SSL with a command similar to the following:


This isn't advisable in production code as you're weakening security on private user information (in the Facebook or other third party callback hash).

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.